CVE-2020-4027

MEDIUM

Atlassian Confluence < 7.4.5 and 7.5.0 - Authenticated Velocity Template Injection via Custom User Macros

Title source: llm
STIX 2.1

Description

Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1.

References (1)

Core 1
Core References
Issue Tracking, Patch, Release Notes, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/CONFSERVER-59898

Scores

CVSS v3 4.7
EPSS 0.0015
EPSS Percentile 34.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-74
Status published
Products (2)
atlassian/confluence < 7.4.5
atlassian/confluence_server 7.5.0 - 7.5.1
Published Jul 01, 2020
Tracked Since Feb 18, 2026